From: Lowell Gilbert
To: lothrandil@n00b.apagnu.se (Niclas Zeising)
Cc: freebsd-doc@freebsd.org
Date: Sun, 12 Nov 2006 09:57:55 -0500
Subject: Re: docs/104403: man security should mention that the usage of the X Window Systen is only possible with kern.securitylevel=-1

lothrandil@n00b.apagnu.se (Niclas Zeising) writes:

> The following reply was made to PR docs/104403; it has been noted by GNATS.
>
> From: Niclas Zeising
> To: Giorgos Keramidas
> Cc: bug-followup@freebsd.org, doc@freebsd.org
> Subject: Re: docs/104403: man security should mention that the usage of the
>  X Window Systen is only possible with kern.securitylevel=-1
> Date: Sun, 12 Nov 2006 14:55:42 +0100
>
> Giorgos Keramidas wrote:
> > On 2006-11-12 10:52, Niclas Zeising wrote:
> >> Giorgos Keramidas wrote:
> >>>> With kern.securitylevel=0 or higher it is not possible to start X.
> >>> You can still use `xdm' or a similar way of starting X11, because
> >>> it will be started by init(8) before the securelevel is raised by
> >>> the `/etc/rc.d/securelevel' script.
> >>>
> >>> I don't think this is worth mentioning in security(7), because
> >>> we can't possibly document *ALL* the possible things that can
> >>> fail with a bumped securelevel.
> >> It is probably worth mentioning somewhere, as it will avoid some foot
> >> shooting from unaware users. One can discuss though that if the extra
> >> security provided by the security level is needed, maybe the system
> >> shouldn't run X in the first place.
> >
> > I'm not sure.
> >
> > Should we also mention that you can't "installworld" with an elevated
> > securelevel, because chflags may fail to work and cause problems?
> > Should we also mention that not being able to change the firewall rules
> > can be tricky, if you are testing your new firewall ruleset, and get
> > locked out?
> >
> > There are *MANY* ways in which an elevated securelevel can turn around
> > and bite you in the ass, but do we _really_ have to enumerate them all
> > in mind-boggling detail? ... in a single manpage?
> >
> > I really don't know.
> >
>
> I believe they should be documented somewhere, to avoid questions.

Sure, but they already are. Given that both the X and installworld
issues have been in the FAQ for years, I don't think adding MORE
documentation will help.